How to Configure DMARC for Your Domain
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy telling recipients what to do with messages failing SPF/DKIM. Published as a _dmarc.example.com TXT record. Minimum: v=DMARC1; p=none; rua=mailto:dmarc@example.com. Standard rollout: p=none → 2 weeks of monitoring → quarantine → reject.
Below: step-by-step, working examples, common pitfalls, FAQ.
Step-by-Step Setup
- Confirm SPF and DKIM are already working
- Create a reporting address:
dmarc@example.com(or use a service like dmarcian.com) - Starter TXT record: name
_dmarc, valuev=DMARC1; p=none; rua=mailto:dmarc@example.com - Monitor reports for 2 weeks — ensure legitimate mail passes
- Move to
p=quarantine; pct=25(25% of unauthenticated mail → spam) - A week later:
p=quarantine; pct=100, another week later:p=reject; pct=100 - Verify with Enterno DKIM/DMARC Checker
Working Examples
| Scenario | Config / Record |
|---|---|
| Starter (monitoring) | v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1 |
| Quarantine 25% | v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com |
| Final (reject) | v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s |
| Subdomain policy | v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com |
| Parked domain (sends no mail) | v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s |
Common Pitfalls
- p=reject without monitoring — legitimate mail disappears. Always start with p=none
adkim=s(strict) requires exact d= match in DKIM. Relaxed (r) allows subdomain- No rua= — no reports, you don't know what breaks
- Forwarders (mailing lists) often break SPF and DKIM — you will see fail in reports, that is normal
- DMARC only works if SPF and/or DKIM are configured. Without them it is useless
Why teams trust us
How it works
Enter domain and selector
Fetch DKIM TXT record
Validate public key
What is DKIM?
DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.
Selector-based Check
Specify domain and DKIM selector — get the public key and its parameters.
Key Analysis
RSA/Ed25519 key length, hash algorithm, flags, and validity period.
Recommendations
If key < 2048 bits — we issue a warning and key rotation instructions.
Instant Result
Direct DNS query in seconds — no waiting for TTL.
Who uses this
Email marketers
pre-send verification
Sysadmins
mail server setup
Security
phishing protection audit
Developers
email deliverability debug
Common Mistakes
Best Practices
Get more with a free account
DKIM check history and DNS monitoring for domain record changes.
Sign up freeLearn more
Frequently Asked Questions
What are rua and ruf?
<code>rua</code> — aggregate reports (daily stats from Gmail/Yandex). <code>ruf</code> — forensic reports (individual failed messages, optional). rua is enough for 99% of cases.
Does a small site need DMARC?
Yes. Even a parked domain (no mail) should have DMARC, otherwise an attacker can spoof your name in phishing.
How do I read an aggregate report?
It is XML. Services like dmarcian.com, dmarcanalyzer.com, postmaster.google.com parse and visualise it — free tiers are usually enough.
How long before switching to reject?
Minimum 2 weeks of p=none monitoring. Optimal: 4 weeks p=none → 2 weeks p=quarantine pct=25 → 2 weeks pct=100 → p=reject. About 2 months total.